Date posted: 09-Feb-2017
Category: Documents
Uploaded by: robert-bond
EU General Data Protection Regulation and Processors
Robert Bond, BA, CCEP
Partner: Robert Bond, CCEP
"astounding" (Legal 500, 2015); "absolutely exemplary" and the fact that his knowledge of data protection law is "astounding, and his application equally impressive." (Chambers UK, 2016)
Robert Bond has over 37 years' experience in advising national and international clients on all of their technology, data protection and cyber law requirements. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks.
He is Secretary of the Board of SCCE, Chairman of the Big Data Governance committee of Tech UK and a member of the UN Data Privacy Advisory Group to the United Nations.
He is an Ambassador for Privacy by Design.
Today's topics: GDPR and Processors
• Current EU law
• Overview of GDPR
• Controllers and processors
• Contractual needs
• Use of sub-processors
• Role of DPO
• Trans border data flows
• Due diligence
Key definitions – Quick recap
Data Controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Personal data: Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Data Subject: An individual who is the subject of personal data.
Key definitions – Quick recap
Sensitive personal data: Racial or ethnic origin; political opinions; religious beliefs; trade union membership; physical or mental health condition; sexual life; criminal offences.
Processing: Recording or holding the information or data, or carrying out any operation or set of operations on the information or data.
DPA / Supervisory Authority: Tasked with the protection of personal data and privacy, and takes enforcement action against those who do not comply with data protection law.
Privacy Impact Assessment: A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data. (DPA)
Key principles – Quick recap
8 key principles of DP law: personal data must…
• Be processed fairly and lawfully
• Only be processed for one or more specified and lawful purposes, and not further processed in a manner incompatible with those purposes
• Be adequate, relevant and not excessive
• Be accurate and, where necessary, kept up to date
• Not be processed for longer than is necessary
• Be processed in accordance with data subjects' rights
• Be protected by appropriate technical and organisational security measures
• Not be transferred outside of the EEA unless that country ensures an adequate level of protection for personal data
General Data Protection Regulation
Scope of regime:
• Wider definition of Personal Data
• All organisations
• Pan-European (no local legislation)
• Extra-territorial application
General Data Protection Regulation
• Documentation
• Breach notification – Regulator & Data subject
• Privacy Impact Assessments
• Compulsory DPOs
• Certifications and seals
• International transfers
• One-stop shop regulation
• Cooperation and consistency
• EU Data Protection Board
• Fines
• Sector exemptions – e.g. Media & Health
• Definitions of Personal data
• Consent
• Children's (Parental) consent
• Information
• Data Subject rights & access
• Right to be forgotten
• Data portability
• Controller and Processor responsibilities
• Data protection by design and default
• Designation for non-EU controllers
Applicability – New law: Preparing for GDPR
• Applies to controllers and processors established in the EU
• Applies to any controller and processor not located in the EU where the processing activities are related to:
  – The offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or
  – The monitoring of their behaviour as far as their behaviour takes place within the EU
Representatives of controllers / processors not
Preparing for GDPR
• Controllers or processors not established in the EU but where Article 3(2) applies must designate in writing a representative
• Representative must be established in a member state where the data subjects whose data are being processed by the controller or processor are located (or where most of them are located)
• All DP issues from data subjects / data protection authority should be addressed to the representative
• The designation of the representative does not affect the responsibility and liability of the controller or processor under the Regulation
GDPR and processors – overview
• Controller must ensure processor will comply with GDPR
• Must be an appropriate contract between controller and processor
• Processor must have adequate information security
• Processor must not use sub-processors without consent of the controller
• Processor must co-operate with the relevant DPA
• Processor must report data breaches to controller without delay
• Processor may need to appoint a DPO
• Processor must keep records of processing activities
• Processor must comply with EU trans border transfer rules
• Processor must help controller comply with data subject rights
• Processors are directly liable for non-compliance
Contractual needs
• Documented instructions
• Confidentiality
• Information security
• Control of sub-processors
• Measures to help controller comply with data subject rights
• Co-operation with controller and DPA
• Destruction or return of data at end of contract
• Provide controller with evidence of GDPR compliance
Use of sub-processors
• No use of sub-processors without consent of controller
• Any third party processing personal data for a processor is a sub-processor
• Sub-processors must be contractually controlled
• Controllers are likely to do considerable due diligence
Data Protection Officers / Notifications – New Law: DPO
• Notifications abolished
• Applies to both controllers and processors
• Mandatory requirement for:
  – Public authorities
  – Where the core activities… consist of processing operations which, by virtue of their nature, scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  – Where the core activities… consist of processing on a large scale of special categories of data and data relating to criminal offences
Data Protection Officers / Notifications – New Law: DPO
• Possible to have one DPO for a group of undertakings provided that the DPO is ‘easily accessible from each establishment’
• DPO can be a member of staff or on a service contract
• Contact details of DPO must be provided to the supervisory authority
• DPO must have ‘expert knowledge of data protection law and practices’
• Must be ‘independent’
• Must report to the ‘highest management level’
Tasks of DPO
• Inform and advise the controller or processor and the employees who are processing personal data of their obligations under the Regulation
• Monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising of staff involved in processing operations and the related audits
• Provide advice where requested as regards data protection impact assessments
• Co-operate with the relevant data protection authority (DPA)
• Act as a contact point for the DPA, in particular in relation to prior consultations referred to in Article 34
Data Transfers – New Law: Trans border data flows
• Safe Harbor
• Privacy Shield
• European Commission approved Model Contract Clauses
• Binding Corporate Rules
• Consent (although precarious to rely on)
• Codes of Conduct (Article 38)
• Certifications / Seals (Article 39)
Data subjects' rights – New Law: Data Subject Rights
• Information (Art 14)
• Access (Art 15)
• Rectification (Art 16)
• Erasure (right to be forgotten) (Art 17)
• Restriction of processing (Art 17a)
• Data portability (Art 18)
• Object (Art 19)
• Automated decision making / profiling (Art 20)
Sanctions for non-compliance – New Law: Enforcement and fines
Two levels of fines…
• Up to the greater of 2% of annual worldwide turnover of the preceding financial year or EUR 10 million – for matters regarding internal record keeping, data processor contracts, data protection officers, and data protection by design and default
• Up to the greater of 4% of annual worldwide turnover of the preceding financial year or EUR 20 million – for matters regarding breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers
Due diligence – GDPR compliance
Data Protection audit:
• Do they process personal data and sensitive data?
• What are their data flows?
• What are their information security policies & procedures?
• Have they had any breaches – notified or not?
• Have they been audited by a DPA?
• Who is their DPO?
Document data processing activities:
• Data processing map – intra group and third parties
• Do they claim any ownership of personal data?
• Retention and destruction practices
• Use of sub-processors
Review policies & procedures:
• Data breach response policy and procedures
• Data sharing policy and procedures
• Vetting of staff
• Information security and cyber risk
• Training
Processors should…
• Carry out a compliance assessment
• Rewrite their terms of business
• Audit their sub-processors
• Review their insurance
• Address data transfer solutions
• Consider if they are a processor and/or a controller
• Assess their policies & procedures
• Decide if a DPO is necessary
• Anticipate their customers' needs
• Put in place staff training
Questions?